Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

cognito user pool custom attribute in IAM Policy Conditions with Dynamodb Fine grained access

Tags:

amazon-web-services

amazon-dynamodb

amazon-iam

amazon-cognito

I have one Cognito User Pool with a custom attribute organisation_id. One Organisation may have multiple users. There can be multiple organisations. Another Dynamodb table is used to maintain Categories which has _id and organisation_id as partition key. Categories can be owned by Organisation so that users belong to that particular Organisation perform some operation in those categories only.

Now, how can I create the IAM policy so that it takes the organisation_id instead of sub/user_id as it is explained here
http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/specifying-conditions.html

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "AllowAccessToOnlyItemsMatchingUserID",
        "Effect": "Allow",
        "Action": [
            "dynamodb:GetItem",
            "dynamodb:BatchGetItem",
            "dynamodb:Query",
            "dynamodb:PutItem",
            "dynamodb:UpdateItem",
            "dynamodb:DeleteItem",
            "dynamodb:BatchWriteItem"
        ],
        "Resource": [
            "arn:aws:dynamodb:us-west-2:123456789012:table/GameScores"
        ],
        "Condition": {
            "ForAllValues:StringEquals": {
                "dynamodb:LeadingKeys": [
                    "${cognito:organisation_id(?)}"

                ],
                "dynamodb:Attributes": [
                    "UserId",
                    "GameTitle",
                    "Wins",
                    "Losses",
                    "TopScore",
                    "TopScoreDateTime"
                ]
            },
            "StringEqualsIfExists": {
                "dynamodb:Select": "SPECIFIC_ATTRIBUTES"
            }
        }
    }
]}

So my main requirement is to get custom user pool attribute in IAM policy through cognito. How is that possible?

like image 553
Indrajit Dan Avatar asked Apr 20 '17 09:04

Indrajit Dan

People also ask

How do I change the attributes of an Amazon Cognito user pool after creation?

Short description. You can't change standard user pool attributes after a user pool is created. Instead, create a new user pool with the attributes that you want to require for user registration. Then, migrate existing users to the new user pool by using an AWS Lambda function as a user migration trigger.

Which techniques should you use to secure Amazon DynamoDB?

Encryption and tokenization are key to database security. Enabling encryption at rest ensures that you can only read the data stored within the DynamoDB database and DynamoDB table backups outside of the AWS account with AWS KMS encryption key permissions explicitly granted, in addition to DynamoDB table permissions.

Is Cognito user pool ID sensitive?

In summary "userPoolId" is your sensitive info and should not be exposed in your Client.

Which option allows you to assign the user pool to the API?

Answer: Instead of using the API Gateway console, you can also enable an Amazon Cognito user pool on a method by specifying an OpenAPI definition file and importing the API definition into API Gateway.

1 Answers

This is not possible. It would require IAM roles to be able to identify custom attributes from any cognito user pool. It's an interesting feature though, will discuss it with the team.

However, as an alternative you can look at Cognito identities and role base access control

http://docs.aws.amazon.com/cognito/latest/developerguide/role-based-access-control.html

like image 96
Vasileios Lekakis Avatar answered Sep 19 '22 09:09

Vasileios Lekakis
Sign in to Comment

Related questions

InvalidInput error when trying to Create or Upsert a Route53 A record
AWS CloudFormation: What is causing resources creation to be cancelled and how to debug?
Where to get Buyer info such as buyer email, name etc for pending order or cancel orders in Amazon mws
Sign AWS requests using Cognito Your User Pool user using Postman
aws s3 putObject vs sync
AWS S3 Java Embedded Mock for Integration Tests
How to get a notification after AWS Cloudfront invalidation is completed?
Connection between two pods located in independent Kubernetes clusters
Elastic Beanstalk stripping Sec-WebSocket-Accept header
Accessing private s3 bucket files
AWS Cognito adminCreateUser from Lambda
Looking for API Gateway Technology that call multiple microservices [closed]
AWS Lambda execution duration randomly spikes and causes time-outs
Am I fully utilizing my EMR cluster?
Api Gateway connection with Elastic Beanstalk (client-side SSL Certificate)
How to Run Queues & Configure Laravel ENV for Amazon SQS
Escaping delimiter in Amazon Redshift COPY command
Naive install of PySpark to also support S3 access
"Fetch as Google" doesn't load React routes on S3 with CloudFront
Cannot connect to Docker PostgreSQL container in AWS EC2 instance

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!